An open DNS resolver is a DNS server that resolves recursive DNS queries from anybody on the internet.
The attack itself is simple. Because your server resolves recursive DNS queries from anyone, an attacker can make it take part in a DDoS by sending it a recursive query whose answer is considerably larger than the request packet that triggered it.
The attacker spoofs the victim's IP address as the source of these requests, so the large responses go to the victim instead of back to the attacker, and sends as many such requests as possible to your server and to every other open resolver they can find. In this way someone with a small connection can “amplify” a denial-of-service attack, turning their own bandwidth into a much larger volume of data aimed at the victim.
Solving DNS recursion in Linux
If you need the DNS resolver, we politely ask you to only allow access from your own trusted sources. This can be accomplished with a firewall rule that allows traffic to port 53/udp only from your particular IP addresses or network.
How to check the port?
The simplest fix is to block port 53/udp in your firewall. To see whether your server is exposed, run the following command from a host outside your trusted network; it reports whether the port is still open and whether the server answers recursive queries:
$ sudo nmap -sU -p 53 --script=dns-recursion IP
PORT   STATE SERVICE
53/udp open  domain
|_dns-recursion: Recursion appears to be enabled
How to close it?
Debian:
$ sudo ufw deny 53
CentOS:
$ sudo firewall-cmd --zone=public --permanent --remove-port=53/udp
$ sudo firewall-cmd --reload
iptables:
iptables -A INPUT -p udp -s <trusted_network>/24 --dport 53 -d <dns_server_ip> -j ACCEPT
iptables -A INPUT -p udp --dport 53 -d <dns_server_ip> -j DROP
(-s is the trusted source network, and -d stands for destination, so this is where you fill in your DNS server's IP. The second rule drops DNS queries from everyone else, so keep the rules in this order.)
BIND is the most commonly used DNS server; if you run a different one, check its documentation for the equivalent setting. In BIND you disable open recursion by adding the following lines to the options section of /etc/named.conf (as root):
options {
allow-query-cache { none; };
recursion no;
};
Finally, when everything is configured, restart the service and test it from a host outside your trusted network by issuing the following command:
dig example.com @your_dns_ip +short
If you don't receive an answer, you know that recursive DNS is blocked for all untrusted sources.
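To run the same check from a script instead of reading dig output by hand, here is an added example (not part of the original article): it builds a DNS query with the RD bit set, sends it to the server on 53/udp and classifies the reply by its RA flag and RCODE. The two sample replies are constructed for illustration, and the server address passed to probe() is an assumption.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Build a minimal A-record query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = [part.encode() for part in name.strip(".").split(".")]
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def classify_response(query, response):
    """'open' if the server recursed for us, 'closed' if it refused or did not
    offer recursion, 'error' if the packet is not a reply matching our query."""
    if len(response) < 12:
        return "error"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:  # id + QR bit
        return "error"
    ra = bool(flags & 0x0080)  # RA: server offers recursion
    rcode = flags & 0x000F
    if rcode == 5:             # REFUSED, what BIND with "recursion no" returns
        return "closed"
    if ra and rcode == 0 and ancount > 0:
        return "open"          # it recursed and answered for an arbitrary name
    return "closed"

def probe(server, name="example.com", timeout=3.0):
    """Send one recursive query to server:53/udp; a timeout counts as closed (filtered)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "closed"
    return classify_response(query, data)

# Constructed sample replies to the query above (not captured from a real server).
_QUESTION = build_query("example.com")[12:]
# Open resolver: QR, RD, RA set, RCODE 0, one A answer pointing at TEST-NET 192.0.2.1
OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# Closed resolver: QR and RD set, RA clear, RCODE 5 (REFUSED), no answer section
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))  # usage: python check_resolver.py <dns_server_ip>
```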